Hacking the Supply Chain 
The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical 


Devices 
DEF CON 28 Safe Mode 


JSOF - 


Who are we? 


JSOF is a software security consultancy 


e Shlomi Oberman, co-founder, JSOF 
* Moshe Kol, Security researcher, JSOF; Finder of Ripple20 


* Ariel Schon, Security researcher, JSOF 


Agenda 
* Ripple20 
* CVE-2020-11901 


* Exploiting CVE-2020-11901 


Ripple20 

Series of 19 zero-day vulnerabilities in Treck TCP/IP” 
* Amplified by the supply chain 

* 1005 of millions of devices 


* Medical, ICS, Home, Enterprise, Transportation, Utilities 


Ripple20 
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e Acritical remote code execution vulnerabilities 
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Ripple20 
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e 8 medium-high severity vulnerabilities 


CVE-2020-11911 
CVE-2020-11912 
CVE-2020-11913 
CVE-2020-11914 


100's of Millions of Devices Affected 
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And many more... 


100's of Millions of Devices Affected 
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e Assumption: Every mid-large US organization has one 
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Vulnerabilities 
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Icon from www.flaticon.com 


Why Treck TCP/IP? 


e Supply chain - mostly unexplored 

* 1 vulnerability == multiple products 
* Large loT impact 

* Zombie vulnerabilities 


e Good attack surface 


Treck TCP/IP 


e Treck is a small American company 

* Treck TCP/IP is a proprietary TCP/IP stack; Available >20 years 
* Embedded devices and RTOS 

* Very configurable. Each Treck instance is different. 


e Strategically located at the start of a long supply-chain 


Ripple20 Research 

* Reverse engineering of 6 different devices with multiple versions 
* Every device has a different configuration 

* Ongoing research Sep'19 - Jun'20 ( 9 months ) 


e Some strange architectures and firmwares involved 


2 whitepapers released 
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About CVE-2020-11901 


Critical vulnerabilities in Treck's DNS Resolver component. 
Once successfully exploited, allows for remote code execution. 
e Can traverse NAT boundaries. 


* 4 vulnerabilities and 1 artifacts. 
* Vary over time and vendor. 
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CVE-2020-11901 


AKA “the DNS bugs” 


DNS Primer: The Basics 


* The DNS protocol maps between domain names and IP addresses. 
* Client resolves a name by issuing a query to a DNS server. 
e The DNS server looks up the name and returns a response. 


Name: www.example.com 


Type: A 
= a E E Query v EE 
Client DNS Server 
EE d4——-—---------- Response 
Name: www.example.com 
Type: A 
TTL: 86400 


Value: 93.184.216.34 
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DNS Primer: Record Types 


* DNS servers can return multiple answers in the same DNS response. 
e An answer is specified as a resource record: 


NAME TYPE CLASS TTL RDLENGTH RDATA 
(var) (2 bytes) (2 bytes) (4 bytes) (2 bytes) (var) 


* Questions and answers have a type. Common types include: 


Type Description 


A IPv4 address for the queried domain. 
CNAME Alias (canonical name). 


MX Domain name of a mail server for the queried domain. 


Domain Names Encoding 


e Domain names are encoded as a sequence of labels. 
* Each label is preceded by a length byte. 
* Maximum label length is 63. 


length length length end 


DNS Message Compression 


* Compression is achieved by replacing a sequence of labels with a 
pointer to prior occurrence of the same sequence. 
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e Compression pointer is encoded in two bytes, the first begins with 11. 
2 16 
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DNS Parsing Logic: Type MK 


if (cacheEntryQueryType == DNS TYPE MK 88 rrtype == DNS TYPE MK) { 
addr info = tfDnsAllocAddrInfo(); 
if (addr info != NULL) 1 


memcpy(&addr info->ai mxpref, resourceRecordAfterNamePtr + 10, 2); 
labellength = tfDnsExpLabellength(resourceRecordAfterNamePtr + Oxc, pktDataPtr) ; 
addr_info->ai_mxhostname = NULL; 
if (labelLength !- 0) { 
asciiPtr = tfGetRawBuffer(labelLength) ; 
addr_info->ai_mxhostname = asciiPtr; 


if (asciiPtr != NULL) 1 


tfDnsLabelToAscii(resourceRecordAfterNamePtr + @xc, asciiPtr, pktDataPtr) ; 


*Pseudo-code 


DNS Label Length Calculation 


ttleBit tfDnsExpLabelLength(tt8BitPtr labelPtr, tt8BitPtr pktDataPtr){ 
tt8Bit currLabelLength; 
tt16Bit i = 0, totalLength = 0; 


while (labelPtrlil != 0) { 
currLabelLength = labelPtr[i]; 
if ((currLabelLength 8 @xc@) == 0) 1 
totalLength += currLabelLength + 1; 


i += currLabelLength + 1; 
} else { 
newLabelPtr = pktDataPtr + (((currLabelLength & @x3f) << 8) | labelPtr[i+1]); 
if (newLabelPtr >= labelPtr) { 
return 0; 


} 
labelPtr = newLabelPtr; 


*Pseudo-code 


Vulnerability #1: Read Out-Of-Bounds 


e tfDnsExpLabelLength might read data out of the packet buffer 
while iterating over the length bytes (stops at a zero length byte). 


* Could result in denial-of-service (e.g., read from unmapped page). 
* Information leakage: 

et fDnsLabelToAscii has no bounds check either. 

e Data from the heap could be interpreted as an MX hostname. 

* Data is leaked when the client tries to resolve the MX hostname. 


e Affects Treck version 4.74, fixed later. ("PEREAT ES 


RCE 
* Sweet! but we want RCE... ASA e 
EU 
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More Issues with t TDnsExpLabellength 


e Maximum domain name of 255 characters is not enforced. 


* Does not validate the characters of the domain name: should be 
alphanumeric and '-' only. 


* totalLength variable is stored as an unsigned short (tt16Bit). 


tfDnsExpLabelLength( labelPtr, pktDataPtr){ 
tt8Bit currLabelLength; 
tt16Bitli = 0,|totalLength|- 0; 


return totalLength; 
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More Issues with tfDnsExpLabelLength 


e Maximum domain name of 255 characters is not enforced. 

* Does not validate the characters of the domain name: should be 
alphanumeric and - only. 

* totalLength variable is stored as an unsigned short (tt16Bit). 


INTEGER OVERFLOW 
| | | 
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Vulnerability #2: Integer Overflow 


* We need to construct a name whose length is larger than 65536. 


* Can we overflow the totalLength variable within a DNS response 
packet? 


* Yes! We use the DNS compression feature to achieve this. 
* Idea: nested compression pointers. 
* Two challenges: 


* Maximum size of the DNS response packet allowed is 1460 bytes. 
e We can only jump backwards from our current label pointer. 
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Integer Overflow 
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Vulnerability #2: Integer Overflow 
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Vulnerability #2: Integer Overflow 


e To maximize the totalLength, we used the maximum label length 
63 (Ox3f) instead of @xOF shown in the example. 


e Using this construction, we reached a name of length “72700 bytes, 
overflovving the totalLength variable. 


e We have an RCE candidate © 


* Can be triggered in response to every query type supported - using 
CNAME records. 


e Affects Treck versions <= 6.0.1.66. 
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Bad Fix 


Bad Fix for the Read Out-Of-Bounds Vulnerability 


Fixing the Read Out-Of-Bounds 


if (RDLENGTH <= remaining size) { 
labelEndPtr = resourceRecordAfterNamePtr + 10 + RDLENGTH; 
if (cacheEntryQueryType == DNS TYPE MX 88 rrtype == DNS TYPE MX) { 
addr info = tfDnsAllocAddrInfo(); 
if (addr_info != NULL && RDLENGTH >= 2) { 


memcpy (&addr info->ai mxpref, resourceRecordAfterNamePtr + 10, 2); 


labellength = tfDnsExpLabelLength(resourceRecordAfterNamePtr+@xc , dnsHeaderPtr, labelEndPtr) ; 
addr_info->ai_mxhostname = NULL; 
if (labelLength != 0) { 


asciiPtr = tfGetRawBuffer(labelLength) ; 
addr_info->ai_mxhostname = asciiPtr; 
if (asciiPtr VL HIS E 


tfDnsLabelToAscii(resourceRecordAfterNamePtr + Oxc, asciiPtr, dnsHeaderPtr, 1, 0); 


*Pseudo-code 


Vulnerability #3: Bad RDLENGTH 


e LabelEndPtr is calculated based on the RDLENGTH field of the 
current resource record. 


e RDLENGTH is attacker-controlledl Oops... 


| NAME ` TYPE | CLASS RDLENGTH RDATA 


86400 | 207 le ës jnë : sje ee 
| | 1abe1Endptr 


e tfDnsExpLabelLength returns 5; 
¢tfDnsLabelToAscii will copy the entire MX hostname. 
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Artifact: Memory Leak 


if (RDLENGTH <= remaining size) { 
labelEndPtr = resourceRecordAfterNamePtr + 18 + RDLENGTH; 
if (cacheEntryQueryType == DNS TYPE MX 88 rrtype == DNS TYPE MX) 1 
addr info = tfDnsAllocAddrInfo(); 
if (addr info != NULL && RDLENGTH >= 2) { 


memcpy (&addr info->ai mxpref, resourceRecOÓmqdAfterNamePtr + 10, 2); 
labellength = tfDnsExpLabelLength(resourceRecordAftexNamePtr+@xc , dnsHeaderPtr, labelEndPtr) ; 
addr_info->ai_mxhostname = NULL; 
if (labelLength != 0) { 
asciiPtr = tfGetRawBuffer(labelLength) ; 
addr_info->ai_mxhostname = asciiPtr; 


if (asciiPtr VL HIS E 


tfDnsLabelToAscii(resourceRecordAfterNamePtr + Oxc, asciiPtr, dnsHeaderPtr, 1, 0); 


*Pseudo-code 


Artifact: Memory Leak 


* An addrinfo structure can be leaked during MX parsing logic. 
e Size of the leak Ox3c. 


e Comes in handy when exploiting heap vulnerabilities. 
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CVE-2020-11901: Summary 


Treck 


Vuln #1: 


Vuln #2: Vuln #3: Artifact: 


Version 


Old 


New 


VA Affected 


X Not affected 
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Read OOB 


v^ 
X 


Integer Overflow Bad RDLENGTH Memory Leak 
A device can be affected by one or more vulnerabilities 
depending on the exact version. 


Exploitation 


Exploiting CVE-2020-11901 on Schneider Electric UPS Device 


Target Device 


e Schneider Electric APC UPS network card 


e Turbo186 (x86-based) 


* 16-bit Real Mode 
* No ASLR or DEP 
* Weird segmentation (shift 8 instead of 4) 


* No debugging capabilities 
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* Only limited crashdumps 


Current stack at SS: SP 06d1: 057e 


46f29a30000007c0 


9PoO005f000000 
8 54112d017a064710 
BC epp 000000000a079822 


Register Set 


AK = 0120 
BX = 0120 
CX = £000 
DX = 07b6 
SI = 017c 
DI = 0000 
BP = @5fe 
CS = c046 
DS = 001b 
ES = 07b6 


Vulnerability Recap 


* Primitive: heap overflow via DNS response parsing 
e Only alpha-numeric characters are copied" 


* We will exploit using "bad RDLENGTH" (#3) 


Treck Version Vuln #1: Vuln #2: Vuln #3: 


Read OOB Integer Overflow Bad RDLENGTH 
Old VA 
New X 


VENE 
"X v (Y 


Exploiting Heap Overflows 


* Metadata corruption 
* Free-list pointers, block sizes, etc. 
* Application-specific data structures 


* Metadata exploitation considered more generic 
e As demonstrated in our exploit of CVE-2020-11896 


* Can we use the same technique here? 
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Treck Heap (in this case 


* Heap structure slightly different this time 


Free List Block 


(4 bytes) 


l Free List B (4 bytes) 
e Tightest fit favored 


(4 bytes) 


e Adjacent free blocks are coalesced 


e Free-list checked on every heap operation 
e Pre and post sizes verified against each other 


e Allocated blocks checked only when free()'d 
* Avoiding a premature crash with alpha-numeric overflow is hard... 


Exploitation Technique 


e We can overflow through all DNS response types 

* When the device boots*, 3 MX requests are transmitted 

* Interactivity in exploits is advantageous 
* Allows easier shaping 

* Crashing is favorable in order to reach deterministic state 
* No penalty* for crashing the network card 
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Overflow Target 


tsDnsCacheEntry 


e tsDnsCacheEntry tsDnsCacheEntry *dnscNextEntryPtr 
e Contains a list of addrinfo structs EE 
e addrinfo holds the contents of a addrinfo *dnscAddrInfoPtr 


DNS answer (name, IP address, ...) 


char *dnscRequestStr 


* Has many pointers and interesting fields — — 8 


* Many references in DNS response parsing 


short dnscFlags 
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CNAME Processing 


if (found cname) { 


first addr info = t dns cache entry->dnscAddrInfoPtr; 
if (first addr info) { 


length = tfDnsExpLabelLength(cname_rdata_ptr, packet ptr, cname rdata end ptr); 
if (length) 1 


cname label buffer = tfGetRanBuffer (length): 
if (cname label buffer) { 


tfDnsLabelToAscii(cname rdata ptr, cname label buffer, packet ptr, 1, 0); 
first addr info-»ai canonname - cname label buffer; 


ES *Pseudo-code 


Controlled Pointer Write 


* We can write a 4-byte pointer 
* (Offset, Segment) 


* To any alpha-numeric address 


* Relatively strong exploitation primitive 
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Linear Overflow 


e Overflow is from end of MX name buffer 


Pre- Post- 
Size 


MX Name Butter SC tsDnsCacheEntry 
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Linear Overflow 


* Overflow is from end of MX name buffer 
e tsDnsCacheEntry must be placed after MX name buffer 


MX Name Buffer EVIL CONTENTS 
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Heap Shaping - Limitations 


* Overflow target: tsDnsCacheEntry 
e Allocated on DNS request creation 

e Overflow source: MX name buffer 
* Allocated on DNS response parsing 

* Corrupting free blocks will result in a crash 
e We must overwrite only allocated data 


Heap Shaping — Target Shape 


* A specific hole pattern would allow us to overflow tsDnsCacheEntry 
* Because of tight-fit preference 


Hole #1 => MX name buffer separator | Hole #2 => tSsDnsCacheEntry separator ... Tail 


e Allocation primitives required to attain this shape 
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Temporary Allocation 


Every DNS answer that contains a name (MK, PTR, CNAME) causes 
allocation 


* Controlled size, controlled contents 
* All answer types (except CNAME) get a new addrinfo as well 


* This allocation is free()'d after DNS parsing fails 
* Or DNS TTL expires 


* Good for creating arbitrary sized free regions 


addrinfo Memory Leak 


if (t dns cache entry.dnscQueryType == DNS TYPE MX 88 answer rr dns.type == DNS TYPE MX) 
d 

new addr info = tfDnsAllocAddrInfo(); 

if (new addr info) 

d 


if (answer rr dns.rdlen >= 2) 


Heap Shaping - Done! 


* The two allocation primitives are used to shape the heap 


Hole #1 => MX name buffer separator | Hole #2 => tsDnsCacheEntry separator 


* Reliable overflow of tsDnsCacheEntry 


* What can we overwrite with the CNAME pointer write primitive? 


Pointer Write Limitations 


e CNAME pointer written to address in tsDnsCacheEntry 

* Overflow is only alpha-numeric, with trailing null-byte 
* Can be used as segment MSB 

e Nothing placed in a strictly aloha-numeric address 

e Combine two alpha-numeric bytes => Non-alpha-numeric segment 


0x004B << 8 = OxA4BOO 
+ 

t 0x4141 — Offset 

OX8C41 


Segment 


008C:0041 


* This allows us to overwrite heap utility functions 
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Overvvriting a Far Call 


* Far calls in x86 are encoded with a pointer 


e Patching a far call using our primitive results 
in the CNAME buffer being executed 


offset segment 


* We patch a far call in free() error flow 
* Called when metadata corruption is detected 
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Recap 


MX Name Buffer tsDnsCacheEntry dnscAddrinfoPtr 
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Recap 


| NAME TYPE RDLENGTH RDATA 
SNE Mr e: 


1234:5678| => “EVIL.PAYLOAD” 


sub free: 


1234:5678 
MX Name Buffer AAAAAAAAAAAAAAA 004B:4141 call -cate+deeéd— 


———————————————. --—---------------2 


addrinfo *dnscAddrInfoPtr 
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Payload Trigger 


* free() error flow will be triggered on overflown MX name free 
e CNAME buffer contains crafted alpha-numeric shellcode 
e 2-stage decoder 
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Payload Trigger 


* free() error flow will be triggered on overflown MX name free 
e CNAME buffer contains crafted alpha-numeric shellcode 
e 2-stage decoder 


* We have achieved arbitrary payload execution! 


DEMO 


JSOF 


Thanks for listening! 


info@jsof-tech.com 


